
Cyber Intelligence Briefing: 5 February 2021

Billy Gouveia, Mona Damian 5 February 2021


The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our threat intelligence specialists.

OVERVIEW

Cyber Threat Intelligence Briefing

Accellion’s legacy product exposes the Office of the Washington State Auditor

  • Attackers exploited vulnerabilities in Accellion’s legacy file transfer product, accessing claims of over 1.4 million Washington state residents. The data stolen include names, social security numbers and bank account details, sparking fears of identity theft and fraud.[1]
  • The product was first exploited in December 2020. The State Auditor says Accellion failed to notify them.[2] A class-action lawsuit against Accellion has been filed.[3]

So what? Increase scrutiny of digital supply chain vendors by conducting regular audits, particularly on applications used for critical data functions. Upgrade away from legacy software products, if feasible.

SolarWinds: Enter China and more vulnerabilities discovered

  • Suspected Chinese hackers exploited a separate SolarWinds vulnerability to compromise a US government agency. An FBI investigation shows the US National Finance Centre, a government payroll system, fell victim to the hackers.[4] Fears remain that further government systems were compromised.
  • SolarWinds has patched three new critical vulnerabilities in its software, including two in its Orion platform.[5] Proof-of-concept exploit code is due to be released next week.

So what? Ensure that all SolarWinds patches are applied without delay before attackers can exploit the newly discovered vulnerabilities.

E-Skimming victim Costway reinfected by piggyback attacker

  • The actor known as Magecart Group 12 targeted roughly 2,000 previously infected companies to steal credit card details.[6] A known exploit in the deprecated Magento 1 e-commerce platform had left Costway infected with malicious e-skimming scripts. Magecart Group 12 leveraged the scripts left by other hackers to steal credit card data from Costway.[7]

So what? Any company still using Magento 1 software should immediately migrate to the more secure Magento 2.X software.

Hezbollah-affiliated hacking group compromised ISPs

  • At least 250 web servers owned by telecoms and Internet Service Providers (ISPs) were hacked. The group, known as Lebanese Cedar, conducted a year-long hacking campaign targeting ISPs and telecoms in the US, the UK, Israel, and other countries.[8]
  • The attacks were designed to gain intelligence and steal databases containing sensitive information. The group exploited outdated Atlassian and Oracle servers to gain access.

So what? This operation exploited known vulnerabilities in outdated public-facing infrastructure. Make sure any publicly exposed infrastructure is patched and scanned regularly for vulnerabilities.

Patching could defend against zero-days in the wild

  • A quarter of zero-day vulnerabilities discovered in 2020 could have been avoided by patching. Google found that 1 out of 4 zero-days were closely related to previously disclosed vulnerabilities.[9]
  • Threat actors used variations of known exploits to develop new zero-days. In some cases, threat actors altered only one or two lines of code to create a new zero-day exploit.

So what? Patch. Not only could it protect your system from known exploits, it may just prevent a threat actor from deploying a new zero-day.

Ransomware reinfection: Same group compromises company twice in two weeks

  • A ransomware victim paid criminals a seven-figure ransom, only to be reinfected two weeks later by the same gang. The UK government warned that criminals can look to re-deploy ransomware using the same mechanisms against the same victim.[10]
  • Lesson: Ransomware is a symptom of an embedded threat actor. Failing to identify how the actor compromised the network, established persistence, and stole files, led to the unnamed victim paying ransom twice.

So what? While retrieving data is often a priority, remember to conduct a thorough investigation to learn how an actor compromised your system and close any security gaps identified.

Phishing gets real(time)

  • A new phishing kit changes in real time, adapting to its victim. Dubbed LogoKit, the phishing tool was found installed on over 700 sites in the last month.[11]
  • LogoKit’s script dynamically alters content. The victim is presented with their email address and company logo, to trick them into disclosing corporate credentials.

So what? Phishing tools are getting simpler to deploy and more sophisticated at tricking a victim. Train your employees to spot phishing attempts, no matter how personalised.

References

[1] ‘About the Accellion data security breach’, Office of Washington State Auditor, 3 February 2020.

[2] ‘Banking Social Security info of more than 1.4 million people exposed in hack involving Washington state auditor’, The Seattle Times, 1 February 2020.

[3] ‘Lawsuit filed against California firm over Washington State auditor data breach’, The Seattle Times, 3 February 2020.

[4] ‘Exclusive: Suspected Chinese hackers used SolarWinds bug to spy on U.S. payroll agency – sources’, Reuters, 2 February 2021.

[5] ‘SolarWinds patches critical vulnerabilities in the Orion platform’, Bleeping Computer, 3 February 2021.

[6] ‘Magento stores hit by largest automated hacking attack since 2015’, Bleeping Computer, 14 September 2020.

[7] ‘Credit card skimmer piggybacks on Magento 1 hacking spree’, Malwarebytes, 2 February 2021.

[8] ‘Hezbollah’s cyber unit hacked into telecoms and ISPs’, ZDNet, 3 February 2021.

[9] ‘Déjà vu-lnerability’, Project Zero Blog, 3 February 2021.

[10] ‘The rise of ransomware’, UK National Cyber Security Centre, 29 January 2021.

[11] ‘LogoKit: Simple, Effective, and Deceptive’, RiskIQ, 27 January 2021.
